Michael Terpin, a prominent cryptocurrency investor, has filed suit against AT&T seeking to recover $24 million worth of altcoins that were stolen from him, plus an additional $200 million in punitive
Michael Terpin, a prominent cryptocurrency investor, has filed suit against AT&T seeking to recover $24 million worth of altcoins that were stolen from him, plus an additional $200 million in punitive damages. While mainstream news outlets have reported on this case, few have thoroughly examined the legal complaint itself. This article explores those details in depth.
According to Terpin's allegations, his accounts fell victim to not one but two SIM swap attacks. The first occurred before AT&T added him to their "high-risk and celebrity" customer tier. Following that incident, security precautions were supposedly put in place—yet a second attack succeeded anyway.
A SIM swap represents a social engineering scheme targeting wireless carriers. The attacker impersonates the victim either by visiting a physical store or calling customer service. Their goal is to have the carrier transfer the victim's phone number to a new SIM card under the attacker's control. The SIM card—short for Subscriber Identity Module—is removable hardware containing subscriber data and linking a phone number to an account. This design becomes problematic in the context of two-factor authentication systems, which often rely on text message verification codes sent to that phone number.
Theoretically, only one SIM card can represent any given phone number at a time. By obtaining the SIM associated with an account alongside its password, an attacker gains access to that account. The vulnerability lies entirely with carrier employees: transferring a phone number to someone else essentially means surrendering control of that number and all connected accounts to the attacker. Carrier policy typically restricts such transfers to situations involving lost, damaged, or replaced hardware.
Terpin claims that after his first intrusion, he met with AT&T representatives who assured him his SIM could only be transferred if he personally visited a store with a security password. Yet he would experience a second compromise anyway. Once in control of his accounts, hackers proceeded to extract $24 million in various altcoins while Terpin watched helplessly. Throughout the ordeal, he reportedly spent significant time on hold with AT&T's security division—only to learn it operated no customer support on weekends.
Terpin's complaint emphasizes this last detail pointedly: "When Mr. Terpin's telephone went dead on January 7, 2018, he instantly attempted to contact AT&T to have the telephone number immediately cancelled so that the hackers would not gain access to his Personal Information and accounts. Ignoring Mr. Terpin's urgent request, AT&T failed promptly to cancel Mr. Terpin's account, which gave the hackers sufficient time to obtain information about Mr. Terpin's cryptocurrency holdings and to spirit off funds to their own accounts. Adding insult to injury, AT&T placed Mr. Terpin's wife on endless hold (over an hour!) when she asked to be connected to AT&T's fraud department while Mr. Terpin was furiously attempting to see what damage was being done to his accounts. Mr. Terpin's wife never reached AT&T's fraud department because it apparently does not work (or is unavailable) on Sundays. But the hackers work on Sunday!"
The litigation will likely hinge on whether AT&T breached an existing service agreement or made misrepresentations during contract negotiation. Standard telecom contracts typically contain language exempting the carrier from liability for fraud losses, even when the carrier itself bears responsibility. However, courts have previously invalidated such clauses when they conflict with express verbal promises, contradict the plain language of the agreement, or when the parties possessed unequal bargaining strength.
"This might boil down to what degree of care AT&T should provide to its customer base," explains Monty Silley, a New York-based attorney specializing in financial crimes. "If AT&T made an honest mistake or fell victim to a clever social engineering scheme, their contract terms might shield them from simple negligence liability. But if Terpin can establish gross negligence—particularly given AT&T's awareness that his account required heightened protection against fraud—the boilerplate language becomes much harder to defend. [Additionally,] should Terpin demonstrate that an AT&T staff member actively participated in the cryptocurrency theft, his legal position strengthens considerably."
AT&T has been alerted to SIM swap vulnerabilities through prior reporting from outlets like KerbsOnSecurity and Vice. Carrier employees have previously been implicated in conspiracy with cybercriminals. The complaint references an instance where an AT&T employee provided personal data of over 200,000 customers to criminal organizations—a breach that resulted in a $25 million penalty against the company.
For Terpin's legal team, the challenge becomes proving that scenario applies here. Given that only he and his wife possessed the password to his account, Terpin maintains his case has merit. Without the password, a hacker would have needed either staggering incompetence from the carrier employee or deliberate cooperation from that employee to authorize the SIM card switch.
When approached by Reuters for comment, AT&T rejected the allegations, stating: "We dispute these allegations and look forward to presenting our case in court." The company declined further remarks.
The complaint reflects solely Terpin's version of events and his assertions. These remain unproven allegations rather than established legal facts. AT&T will present its own account when proceedings commence. Updates on this case will be provided as developments occur.
